US12021854B2ActiveUtilityA1

Secure permissioning of access to user accounts, including secure deauthorization of access to user accounts

92
Assignee: PLAID INCPriority: Sep 8, 2015Filed: Dec 5, 2022Granted: Jun 25, 2024
Est. expirySep 8, 2035(~9.2 yrs left)· nominal 20-yr term from priority
H04L 63/0892H04L 9/3213H04L 9/3228H04W 12/082G06Q 20/385H04L 2463/102H04W 12/06H04L 63/0807
92
PatentIndex Score
1
Cited by
427
References
20
Claims

Abstract

A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user's account.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A computer-implemented method for enabling secure transactions without sharing user information with an external application, comprising:
 receiving, by a permissions management computing platform and via a normalized application programming interface (API), a request to authorize use of user account data associated with a user account held by a financial institution having a user application specific to the financial institution that enables users of the financial institution to access data stored by the financial institution via a non-public API specific to the financial institution, wherein the request to authorize use of the user account data includes one or more permissions limiting at least one of: use of the user account data by an external application system or access to the user account data by the external application system; 
 retrieving, by the permissions management computing platform and from a plurality of stored application proxy instances, an application proxy instance associated with the financial institution, wherein the application proxy instance includes a virtualized image of the user application specific to the financial institution; 
 initiating, by the permissions management computing platform and using the application proxy instance interfacing with the non-public API specific to the financial institution, a communication session with the financial institution; 
 retrieving, by the permissions management computing platform and via the communication session, the user account data; 
 generating, by the permissions management computing platform, an electronic record including the user account data and the one or more permissions; 
 storing, by the permissions management computing platform, the electronic record; 
 generating, by the permissions management computing platform, a token identifying the electronic record; 
 transmitting, by the permissions management computing platform, the token to the external application system; 
 receiving, by the permissions management computing platform and from the external application system, a request for transaction processing for a transaction associated with the user, wherein the request for transaction processing includes transaction details and the token; 
 retrieving, by the permissions management computing platform and based on the token, the electronic record; 
 comparing, by the permissions management computing platform, the transaction details to the one or more permissions in the electronic record to determine whether the external application system is authorized to process the transaction; 
 determining, by the permissions management computing platform and based on the comparing, that the external application system is authorized to process the transaction; and 
 processing, by the permissions management computing platform and using the user account data, the transaction. 
 
     
     
       2. The method of  claim 1 , wherein the token is generated based on an encrypted hash of one or more elements of the electronic record. 
     
     
       3. The method of  claim 1 , wherein the electronic record further includes a user identifier and an identifier of the external application system. 
     
     
       4. The method of  claim 1 , wherein the electronic record corresponds to a combination of the user and the external application system. 
     
     
       5. The method of  claim 1 , wherein the request to authorize use of the user account data is received via a permissions plug-in integrated into the external application system and configured to securely communicate information to the permissions management computing platform. 
     
     
       6. The method of  claim 5 , wherein the permissions plug-in integrated into the external application system prevents access to the user account data by the external application system. 
     
     
       7. The method of  claim 1 , further including:
 receiving, by the permissions management computing platform, a request to modify the authorization to use the user account data; and 
 processing, by the permissions management computing platform, the request to modify the authorization to use the user account data by modifying the electronic record. 
 
     
     
       8. The method of  claim 7 , wherein modifying the authorization to use the user account data includes requesting de-authorization of the external application system to use the user account data and wherein modifying the electronic record includes deleting the electronic record. 
     
     
       9. The method of  claim 7 , wherein modifying the electronic record includes modifying the one or more permissions limiting at least one of: use of the user account data by the external application system or access to the user account data by the external application system. 
     
     
       10. The method of  claim 9 , further including:
 receiving, by the permissions management computing platform and from the external application system, a subsequent request for transaction processing for a subsequent transaction associated with the user, wherein the subsequent request for transaction processing includes subsequent transaction details and the token; 
 retrieving, by the permissions management computing platform and based on the token, the modified electronic record; 
 comparing, by the permissions management computing platform, the subsequent transaction details to the modified one or more permissions in the modified electronic record to determine whether the external application system is authorized to process the transaction; 
 determining, by the permissions management computing platform and based on the comparing, that the external application system is not authorized to process the transaction; and 
 transmitting, by the permissions management computing platform, a notification to the external application system denying the subsequent request for transaction processing. 
 
     
     
       11. A permissions management computing platform for enabling secure transactions without sharing user information with an external application, comprising:
 at least one hardware processor; 
 a communication interface communicatively coupled to the at least one hardware processor; and 
 a memory storing computer-readable instructions that, when executed by the at least one hardware processor, cause the permissions management computing platform to:
 receive, via a normalized application programming interface (API), a request to authorize use of user account data associated with a user account held by a financial institution having a user application specific to the financial institution that enables users of the financial institution to access data stored by the financial institution via a non-public API specific to the financial institution, wherein the request to authorize use of the user account data includes one or more permissions limiting at least one of: use of the user account data by an external application system or access to the user account data by the external application system; 
 retrieve, from a plurality of stored application proxy instances, an application proxy instance associated with the financial institution, wherein the application proxy instance includes a virtualized image of the user application specific to the financial institution; 
 initiate, using the application proxy instance interfacing with the non-public API specific to the financial institution, a communication session with the financial institution; 
 retrieve, via the communication session, the user account data; 
 generate an electronic record including the user account data and the one or more permissions; 
 store the electronic record; 
 generate a token identifying the electronic record; 
 transmit the token to the external application system; 
 receive, from the external application system, a request for transaction processing for a transaction associated with the user, wherein the request for transaction processing includes transaction details and the token; 
 retrieve, based on the token, the electronic record; 
 compare the transaction details to the one or more permissions in the electronic record to determine whether the external application system is authorized to process the transaction; 
 determine, based on the comparing, that the external application system is authorized to process the transaction; and 
 process the transaction using the user account data. 
 
 
     
     
       12. The permissions management computing platform of  claim 11 , wherein the token is generated based on an encrypted hash of one or more elements of the electronic record. 
     
     
       13. The permissions management computing platform of  claim 11 , wherein the electronic record further includes a user identifier and an identifier of the external application system. 
     
     
       14. The permissions management computing platform of  claim 11 , wherein the electronic record corresponds to a combination of the user and the external application system. 
     
     
       15. The permissions management computing platform of  claim 11 , wherein the request to authorize use of the user account data is received via a permissions plug-in integrated into the external application system and configured to securely communicate information to the permissions management computing platform. 
     
     
       16. The permissions management computing platform of  claim 15 , wherein the permissions plug-in integrated into the external application system prevents access to the user account data by the external application system. 
     
     
       17. The permissions management computing platform of  claim 11 , further including instructions that, when executed by the at least one processor, cause the permissions management computing platform to:
 receive a request to modify the authorization to use the user account data; and 
 process the request to modify the authorization to use the user account data by modifying the electronic record. 
 
     
     
       18. The permissions management computing platform of  claim 17 , wherein modifying the electronic record includes modifying the one or more permissions limiting at least one of: use of the user account data by the external application system or access to the user account data by the external application system. 
     
     
       19. The permissions management computing platform of  claim 11 , further including instructions that, when executed by the at least one processor, cause the permissions management computing platform to:
 receive, from the external application system, a subsequent request for transaction processing for a subsequent transaction associated with the user, wherein the subsequent request for transaction processing includes subsequent transaction details and the token; 
 retrieve, based on the token, the modified electronic record; 
 compare the subsequent transaction details to the modified one or more permissions in the modified electronic record to determine whether the external application system is authorized to process the transaction; 
 determine, based on the comparing, that the external application system is not authorized to process the transaction; and 
 transmit a notification to the external application system denying the subsequent request for transaction processing. 
 
     
     
       20. One or more non-transitory computer-readable media storing instructions that, when executed, cause a permissions management computing platform for enabling secure transactions without sharing user information with an external application to:
 receive, via a normalized application programming interface (API), a request to authorize use of user account data associated with a user account held by a financial institution having a user application specific to the financial institution that enables users of the financial institution to access data stored by the financial institution via a non-public API specific to the financial institution, wherein the request to authorize use of the user account data includes one or more permissions limiting access to at least one of: use of the user account data by an external application system or access to the user account data by the external application system; 
 retrieve, from a plurality of stored application proxy instances, an application proxy instance associated with the financial institution, wherein the application proxy instance includes a virtualized image of the user application specific to the financial institution; 
 initiate, using the application proxy instance interfacing with the non-public API specific to the financial institution, a communication session with the financial institution; 
 retrieve, via the communication session, the user account data; 
 generate an electronic record including the user account data and the one or more permissions; 
 store the electronic record; 
 generate a token identifying the electronic record; 
 transmit the token to the external application system; 
 receive, from the external application system, a request for transaction processing for a transaction associated with the user, wherein the request for transaction processing includes transaction details and the token; 
 retrieve, based on the token, the electronic record; 
 compare the transaction details to the one or more permissions in the electronic record to determine whether the external application system is authorized to process the transaction; 
 determine, based on the comparing, that the external application system is authorized to process the transaction; and 
 process the transaction using the user account data.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.